Skip to content

Commit

Permalink
Disallow strings in limit() and offset()
Browse files Browse the repository at this point in the history 
Back in 68a08a2 int casts were removed in limit() and offset(). This
opened up the possibility for applications to provide unsafe user input
into these methods and create an injection vector.

We've been trying to narrow the accepted types, so instead of adding
casting I've added an exception when strings that are not number shaped
are provided.
  • Loading branch information
@markstory
markstory committed Jan 3, 2023
1 parent d229619 commit 3f463e7
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 0 deletions.
6 changes: 6 additions & 0 deletions src/Database/Query.php
View file
Expand Up @@ -1534,6 +1534,9 @@ public function page(int $num, ?int $limit = null)
*/
public function limit($limit)
{
if (is_string($limit) && !is_numeric($limit)) {
throw new InvalidArgumentException('Invalid value for `limit()`');
}
$this->_dirty();
$this->_parts['limit'] = $limit;

Expand All @@ -1560,6 +1563,9 @@ public function limit($limit)
*/
public function offset($offset)
{
if (is_string($offset) && !is_numeric($offset)) {
throw new InvalidArgumentException('Invalid value for `offset()`');
}
$this->_dirty();
$this->_parts['offset'] = $offset;

Expand Down
26 changes: 26 additions & 0 deletions tests/TestCase/Database/QueryTest.php
View file
Expand Up @@ -2218,6 +2218,32 @@ public function testSelectLimit(): void
$this->assertCount(2, $result);
}

/**
* Tests selecting rows with string offset/limit
*/
public function testSelectLimitInvalid(): void
{
$query = new Query($this->connection);
$this->expectException(InvalidArgumentException::class);
$query->select('id')->from('comments')
->limit('1 --more')
->order(['id' => 'ASC'])
->execute();
}

/**
* Tests selecting rows with string offset/limit
*/
public function testSelectOffsetInvalid(): void
{
$query = new Query($this->connection);
$this->expectException(InvalidArgumentException::class);
$query->select('id')->from('comments')
->offset('1 --more')
->order(['id' => 'ASC'])
->execute();
}

/**
* Tests selecting rows combining a limit and offset clause
*/
Expand Down

0 comments on commit 3f463e7

Please sign in to comment.